documentation used to ascertain compliance,
relative to the filing, for five years. These could
be subject to NY DFS inspection and should be
regarded as key business documentation and
subject to treatment under your organization’s formal
records management program.

APPROACH TO MEETING THE REQUIREMENTS

Since a risk assessment is a baseline activity for
many sections of Part 500, it should be an initial
activity. The scope of this assessment should include
an organization's business operations, technology
environment, and threat landscape. The result
becomes the basis for security controls definition
and program policy structure. Part of this assessment
process is knowing where your data is and who has
access to it. Mapping your business processes and
data flows is essential to completing any risk
assessment that focuses on data protection. The risk
assessment should be updated periodically as the
business, technology environment, and threat
landscape change.

Identify appropriate resources to lead and maintain
the program, including a CISO. If this position
already exists within your organization, make sure
the CISO understands their role in meeting this new
regulation. As with many new compliance activities,
this is a team sport. Partner with IT, legal, and
business operations to understand and develop the
appropriate program changes and updates to meet
this new regulation.

While this is the most comprehensive
cybersecurity requirement we have seen at the
state level, it may not be the only one over time. A
well-designed, risk-based cybersecurity program
will provide a solid basis for meeting NY DFS Part
500 and should require only modest updates and
process changes to obtain compliance and submit
your annual filing with confidence.

Shawn H. Malone is Founder and CEO of Security
Diligence, LLC and is a former security and
business compliance executive in the mortgage
insurance industry. He can be reached at
SMalone@SecDiligence.com